Abstract

Common Knowledge Logic is meant to describe situations of the real world
where a group of agents is involved. These agents share knowledge and make
strong statements on the knowledge of the other agents (the so-called common
knowledge). But as we know, the real world changes and overall information on
what is known about the world changes as well. The changes are described by
dynamic logic. To describe knowledge changes, dynamic logic should be combined
with logic of common knowledge. In this paper we describe experiments which
we have made about the integration in a unique framework of common knowledge
logic and dynamic logic in the proof assistant COQ. This results in a set of fully
checked proofs for readable statements. We describe the framework and how a
proof can be conducted.
1 Introduction

Common knowledge logic is about the knowledge of the world, whereas dynamic logic 
is about the changes of the world. Both are presented as modal logic. In this paper we 
propose to analyze reasoning in a combination of those logics through a mechanization 
by a proof assistant. 

By experience, we know that the knowledge we have of the world is not perennial,
but is meant to evolve. Therefore, any faithful and complete approach to the
reasoning of agents about their surrounding world requires taking that evolution
into account and combining a logic that describes the state of the knowledge at a
given time with a logic that accounts for the changes due to external events. This
kind of work is known as belief revision (or knowledge revision in our case) and is
advocated by Johan van Benthem [6]. In this paper, following the work of [3] [4]
[5] [6] [9], we combine two logics: the first logic is common knowledge logic
[fl~| [12] [IZl [20] and the second one is dynamic logic [13] [14]. The combination
of both is called dynamic logic of common knowledge. The idea is not new but the
novelty is that we do that combination in a proof assistant.

As we are neither designers of modal logic, nor philosophers, but only proof
assistant users, what is presented in this paper is not a general discussion on the
interest or the advantage of combining logics or how this can be made more
appropriately. What we present is a record of experiments done on a mechanization
of dynamic logic of common knowledge in Coq, one of the proof assistants available
on the market. By the use of higher order logic and mechanization this activity
sheds light on the reality of reasoning in dynamic logic of common knowledge and on
how the two components, namely epistemic and dynamic, fit together. This paper does
not address any comparison on using one proof assistant or another in that kind of
implementation exercise. We feel that actually higher order proof assistants like
ACL-2 [15], HOL [25], Isabelle [22], LEGO [23], PHoX [24] or PVS @, are not so
deeply different w.r.t. modal logic and that such a comparison would not be
informative for the reader. We prefer to focus on the experience itself, hoping that
what has been learned will help designers of logics. We have taken Coq, because we
practiced it [18] and we have an expert environment around us. This paper is
essentially a careful examination of what is necessary to make an actual proof of
correctness. We have chosen the muddy children puzzle (again not a very original
choice) and we introduce the reader to the Coq script.

Why experiences on a proof assistant? 

We noticed that most of the presentations about logic of common knowledge or
dynamic logic or a combination of both were made through a model approach
where no specific care is given to actual deductions, with rules and axioms. When
proofs are given they are done at an intermediary level of abstraction, whereas we
advocate a deep level, where no detail is left over. We are typically at a proof
theory level. With a proof theoretic background, we feel that proofs and deductions
are of main importance, as has been shown by most experience with proof assistants.
To summarize, this paper is about the actual integration of common knowledge and
dynamic logic in a unique framework in a proof assistant. It relies on a previous work
by the first author [18] and is associated with two scripts:

http://perso.ens-lyon.fr/pierre.lescanne/COQ/EpistemicLogic.v8

and

http://perso.ens-lyon.fr/pierre.lescanne/COQ/EpistemicAndDynamicLogic.v

1 A notable exception related to our approach is the formulation of linear temporal logic in COQ done by
Solange Coupet-Grimal. Her development is a shallow embedding whereas ours is a deep one.
2 Dynamic logic of common knowledge



Common knowledge logic 

Common knowledge logic is a modal logic with two main modalities. One modality $K_i$,
which is associated with each agent $i$, is the knowledge modality. It is meant to express
the knowledge an agent has on statements, facts and propositions. For instance, $K_i(\varphi)$
reads as "$i$ knows $\varphi$". The modality $C_G$, which is associated with a group $G$ of agents, is
the common knowledge modality. $C_G(\varphi)$ translates the fact that a knowledge is common
to a group $G$ of agents: not only does each agent in the group $G$ know $\varphi$, but he also knows
that the others know $\varphi$ and he knows that the others know that the others know $\varphi$, and this
recursively. $C_G(\varphi)$ reads as "$\varphi$ is a common knowledge of the group $G$". It is formalized as
a fixed point by an axiom and a rule:

$$\vdash C_G\varphi \to \varphi \wedge E_G C_G\varphi \quad \mathrm{FixPoint}_C
\qquad\qquad
\frac{\vdash p \to \varphi \wedge E_G\, p}{\vdash p \to C_G\varphi} \quad \mathrm{GreatestFixPoint}_C$$



Dynamic logic 

Dynamic logic makes events modalities. There are as many modalities as there are
events. If $\alpha$ is an event, then $[\alpha]$ is a modality and one writes $[\alpha]\varphi$ the proposition
$\varphi$ modified by an event $\alpha$. If a universe satisfies $\varphi$, after the event $\alpha$ has been performed
on it, the transformed universe satisfies $[\alpha]\varphi$.



Hilbert-style 

Hilbert-style is what has been chosen in the COQ implementation. It is convenient both
from the point of view of its presentation and from the point of view of its
mechanization in a proof assistant. Therefore the forthcoming rules and axioms will be
presented in that framework.

The reason why one cannot use a natural deduction or a sequent calculus approach
is essentially due to the Generalization Rule. If one accepts such a rule in natural
deduction, one gets

This requires extending the operator $K_i$ to contexts like $\Gamma$. If instead of $K_i$ one uses
a modality $\Box$, one says that $\Box(\Gamma)$ is a "boxed context". Actually linear logic IfTTI is
perhaps the archetypal modal logic and the equivalent of $K_i$ is the modality "of course",
written "!". The equivalent of the Generalization Rule is a rule also called "of course".
Without that rule the proof net presentation is somewhat simple fl6l. Its introduction
requires a machinery of boxes which increases its complexity. See [2] for a discussion.



The axioms 

The axioms of modal logic are those of classical logic plus two axioms and one rule
for each modality $M$:

• Normalization axiom $K_M$: $\vdash M\varphi \to M(\varphi \to \psi) \to M\psi$

• Necessitation axiom $T_M$: $\vdash M\varphi \to \varphi$

• Generalization rule $\mathrm{Gen}_M$: $\dfrac{\vdash \varphi}{\vdash M\varphi}$

These axioms of modal logic have to be duplicated for dynamic logic and common
knowledge logic.

2.1 Epistemic and dynamic modalities: purely epistemic propositions

The central issue of this paper is to show how to integrate common knowledge and
dynamic logics in a unique framework for use in a proof assistant. First we define a
logic that we call $T_G^{[]}$ (see Figure 1). An interesting feature of $T_G^{[]}$ is axiom KT1:

$$\forall \varphi : \text{proposition}\ \ \forall \alpha : \text{event}\ \ \forall i \in G,\quad \vdash K_i[\alpha]\varphi \to [\alpha]K_i\varphi$$

It is well known in epistemic-temporal logic [10] and is appropriate for dynamic logic
of common knowledge. It reads "if agent $i$ knows that, after event $\alpha$, $\varphi$ holds, then
one can infer that, after event $\alpha$, agent $i$ knows that $\varphi$ holds". This axiom allows
commuting epistemic and dynamic modalities in one direction. Note that the converse
is quite dubious in natural language and would certainly be rejected by philosophers.
Indeed if after $\alpha$, I know that $\varphi$ holds, because event $\alpha$ is precisely to let me know
proposition $\varphi$, then there is no reason to infer that I know that $\varphi$ has to hold after $\alpha$. But
looking carefully at axiom KT1, one notices that event $\alpha$ is transforming not actually
the world in its physical reality, but the knowledge the agent has of it. Therefore to
avoid troubles and paradoxes, we consider only events $\alpha$ that are "purely epistemic".
This means that in our approach of dynamic logic of common knowledge, we consider
only actions or events that change the perception of the world which agents have, not
the world itself. We borrowed this concept of purely epistemic event from A. Baltag [4,

2.2 The axiomatization of dynamic logic of common knowledge 

For the common knowledge modality $C_G$ we have chosen the axiomatization proposed
and implemented in Coq by the first of us [18]. The whole dynamic logic of common
knowledge is made of the following ingredients:

• the logic T for $K_i$ and for $[\alpha]$,

• the definition of shared knowledge $E_G$,

• the definition of common knowledge $C_G$ by a fixpoint axiom and a rule that says
that it is the greatest fixpoint,

• the axiom KT1 that makes the connection between dynamic logic and common
knowledge logic.
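Classical: the axioms of classical logic

$$\frac{\vdash \varphi \qquad \vdash \varphi \to \psi}{\vdash \psi}\ \mathrm{MP}$$

$$\vdash K_i\varphi \to K_i(\varphi \to \psi) \to K_i\psi \quad K_K
\qquad \vdash K_i\varphi \to \varphi \quad T_K
\qquad \frac{\vdash \varphi}{\vdash K_i\varphi}\ \mathrm{Gen}_K$$

$\mathrm{Def}_E$: the definition of shared knowledge $E_G$

$$\vdash C_G\varphi \to \varphi \wedge E_G C_G\varphi \quad \mathrm{FixPoint}_C
\qquad \frac{\vdash p \to \varphi \wedge E_G\, p}{\vdash p \to C_G\varphi}\ \mathrm{GreatestFixPoint}_C$$

$$\vdash [\alpha]\varphi \to [\alpha](\varphi \to \psi) \to [\alpha]\psi \quad K_{[\,]}
\qquad \vdash [\alpha]\varphi \to \varphi \quad T_{[\,]}
\qquad \frac{\vdash \varphi}{\vdash [\alpha]\varphi}\ \mathrm{Gen}_{[\,]}$$

$$\vdash K_i[\alpha]\varphi \to [\alpha]K_i\varphi \quad \mathrm{KT1}$$

Figure 1: The dynamic logic of common knowledge $T_G^{[]}$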



3 A running example: the muddy children puzzle 

The muddy children puzzle will serve as an example to show how dynamic and
knowledge logic have been integrated in Coq. This problem is presented by several
authors ifTol fTl im as an illustration of common knowledge logic. The problem considers
amazing children who are able to carry out perfectly logical reasoning.



3.1 The statement 

First, let us recall the puzzle. The reader who knows the puzzle can skip this part and
jump to Section HI collecting the axioms. We follow more or less the presentation of
Meyer and van der Hoek 12H .

$n + 1$ children are standing in a circle around their father. There are $m + 1$
($m \in \{0, \ldots, c\}$) children with mud on their face. The children can see each other, but they
cannot see themselves. In particular, they do not know if they have mud on their face.
Father says aloud: "There is at least one child with mud on its face." Then he asks:
"Will all children who know they have mud on their face please step forward?" This
procedure is repeated until, after the $(m + 1)$-th time Father has asked the same question,
all muddy children miraculously step forward.

The conclusion which happens eventually is the result of a logical reasoning made
by the children, especially the muddy ones, about what they know initially and what
they know about the changes on what they know. It is a perfect example of a common
knowledge and dynamic reasoning which fits with our frameworks.
3.2 The formalization

In this section, we try to say what justified our statements. A reader interested only in
the formal rules and the mechanized reasoning can jump over the text and go directly to
the formal statements. This discussion is interesting to understand why we have chosen
this system of axioms.

Two events 

In this puzzle, the actions are not very elaborate, since after Father's first statement,
he keeps repeating the same sentence. Therefore we consider two events: one that
starts the scenario, which we write "$\bullet$" and also call the initial event, and one
that corresponds to the sentence Father repeats, which we write "$*$" and also
call the progression event. In our dynamic logic of common knowledge, we will
have two types of propositions: $[\bullet]\varphi$ and $[*]\varphi$. We will also write $[*]^m\varphi$ for $[*]\ldots[*]\varphi$ where
$[*]$ is repeated $m$ times. Clearly $[*]^0\varphi$ means $\varphi$. In COQ, we will use the identifiers Point
(abbreviated in [53] in COQ) and Star (abbreviated in [*] in COQ). 

Definitions 

To study this puzzle, we must describe formally the situation and so define basic
properties with axioms.

Let $c \in \mathbb{N}$ and $m \in \{0, \ldots, c\}$, so that $c+1$ is the number of children (there is at least
one of them) and $m + 1$ the number of muddy ones (there is also at least one of them).
Let $G$ be the group of all children, of cardinality $c + 1$: we identify it with $\{1, \ldots, c+1\}$.

Let $\mu_i$ ($i \in \{1, \ldots, c+1\}$) be the proposition "child $i$ has mud on his face".

Let $\lambda_j$ ($j \in \mathbb{N}$) be the proposition "at least $j$ children have mud on their face".

Let $\varepsilon_j$ ($j \in \mathbb{N}$) be the proposition "exactly $j$ children have mud on their face", which
is defined as follows:

$$\mathrm{EQ}:\quad \forall j \in \mathbb{N},\ \vdash \varepsilon_j \leftrightarrow \lambda_j \wedge \neg\lambda_{j+1}$$

which one can read "there are exactly $j$ muddy children if and only if there are at least $j$
and at the most $j$ ones". Two trivial properties can be proved from this axiom (the proof
is made in the COQ file): first, "if there are at least but not exactly $j$ muddy children,
then there are at least $j + 1$ ones", which is:

$$\mathrm{IMP}:\quad \forall j \in \mathbb{N},\ \vdash \lambda_j \wedge \neg\varepsilon_j \to \lambda_{j+1}$$

secondly, a principle of exclusion, "there cannot be exactly $j$ and at least $j + 1$ muddy
children", which is:

$$\mathrm{EXCLUDE}:\quad \forall j \in \mathbb{N},\ \vdash \neg(\lambda_{j+1} \wedge \varepsilon_j)$$

These propositions describe the "physical world", i.e., the physical state of the
children, whether they are muddy or not. They form the type physical proposition.
As we only take into account epistemic events, physical propositions are "persistent",
which means they are not modified by epistemic events. This property is axiomatized
as follows:

$$\mathrm{PERSIST}:\quad \forall p : \text{physical proposition}\ \ \forall \alpha : \text{epistemic event},\ \vdash p \to [\alpha]p$$

The initial event and its consequences

First, Father says loudly that there is at least one muddy child: therefore this
proposition becomes common knowledge. If TRUE is the logical constant, we notice that it
is the only "true" proposition available to the children initially. The effect of the first
statement is as follows:

$$\mathrm{MC1}_1:\quad \vdash [\bullet]\mathrm{TRUE} \to C_G\lambda_1$$

this is the first axiom of our formalization.

The children are not blind, they see each other and they get pieces of information
from it. The initial event records what they get: every child counts the number of muddy
children in front of him/her. In particular, the muddy ones see $m$ muddy children, thus
they get a knowledge about the total number of muddy children, namely $m$ or $m + 1$:

$$\mathrm{MC1}_2:\quad \forall i \in G,\ \vdash [\bullet]\mathrm{TRUE} \to \mu_i \to K_i(\varepsilon_m \vee \varepsilon_{m+1})$$

Defined that way, the initial event is an epistemic event: no further action will
change the world, only the knowledge the agents own on the world will evolve.
Therefore the muddy children problem is a paradigmatic example.

We said that physical propositions are persistent, but they are not the only ones.
Indeed, the muddy children are able to remember what they have seen initially, in other
words, the part $\mu_i \to K_i(\varepsilon_m \vee \varepsilon_{m+1})$ of axiom $\mathrm{MC1}_2$ is also persistent:

$$\mathrm{PERS}_{\mathrm{MC1}_2}:\quad \forall \alpha : \text{event}\ \ \forall i \in G,\ \vdash (\mu_i \to K_i(\varepsilon_m \vee \varepsilon_{m+1})) \to [\alpha](\mu_i \to K_i(\varepsilon_m \vee \varepsilon_{m+1}))$$

The final statement

The problem gets to its end when the muddy children step forward. This happens when
muddy children know they are muddy. Formally this is

$$\forall i \in G,\ \mu_i \to K_i\mu_i$$

Muddy children are able to infer this statement when they know there are exactly $m + 1$
muddy children: as every muddy child sees $m$ ones (a persistent property), he knows
that he is muddy when he knows there are exactly $m + 1$ muddy children, i.e. the $m$
ones he sees plus him/herself. If a child is muddy and if he knows there are exactly
$m+1$ muddy children, then he knows he is muddy. This leads to the following axiom.

$$\mathrm{MC3}:\quad \forall i \in G,\ \vdash \mu_i \to K_i\varepsilon_{m+1} \to K_i\mu_i$$
The progression event and the increase of knowledge

The core of the work consists in clarifying formally what is produced by Father's
injunction and how this makes the muddy children's knowledge grow.

In this scenario, a tempo is given by Father: time is made discrete and is divided
into time intervals which every agent (here the children) can distinguish by counting
Father's statements. Therefore, these intervals can be numbered as follows:

• The first interval starts at Father's declaration and ends at Father's first injunction.

• The $(i+1)$th interval goes from the $i$th to the $(i+1)$st injunction.

After $m + 1$ injunctions, every muddy child steps forward, as we will prove in
our system for dynamic logic of common knowledge. To do so, we need to understand
better what happens from one interval to another with each of Father's injunctions. These
injunctions do not carry much semantics, but they are important from a dynamic logic
point of view: indeed, each injunction gives a tempo and helps every child in his quest
of knowledge as it ends the previous interval. Then every child can deduce that no
child has stepped forward during the previous interval, which means that none has been
able to conclude about his state; this increases the amount of information the children
have.

Indeed, let us consider the first injunction. In the first interval, $C_G\lambda_1$ holds and two
cases occur:

If $m = 0$, the only muddy child can say at once that he is muddy because he is the
only one to see no other muddy child and after Father's first injunction, he steps
forward.

If $m > 0$, every child sees at least another muddy child, and so, no one can conclude
whether he is muddy or not. Worse, Father's initial statement of $\lambda_1$ did not tell
them anything they did not know, except for the fact that this statement became common
knowledge. When no one steps forward at Father's first injunction, every child
can infer that no one sees no muddy child, which means that everyone sees at least
one muddy child. This can only happen if there are at least two muddy children.
By an easy reasoning they exclude the case $m = 0$.

To be more formal, every child knows that every child knows there is at least one
muddy child, which leads the children to the following: there are at least two
muddy children.

Father's first injunction translates formally into

$$\vdash E_G E_G\lambda_1 \to [*]E_G\neg\varepsilon_1$$

which generalizes for any injunction:

$$\mathrm{MC2}:\quad \forall j \in \{1, \ldots, k\},\ \vdash E_G E_G\lambda_j \to [*]E_G\neg\varepsilon_j$$

which is: if every child knows that every child knows there are at least $j$ muddy children,
then after Father's injunction, every child knows there cannot be exactly $j$ ones.
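4 A knowledge gain lemma

One can deduce a knowledge gain lemma which says that if every child knows that
every child knows there are at least $j$ muddy children, then after Father's injunction,
every child knows there are at least $j + 1$ ones. Formally

Lemma 1 (GainConn). $\forall j \in \{1, \ldots, k\},\ \vdash E_G E_G\lambda_j \to [*]E_G\lambda_{j+1}$

Proof. Let $j \in \{1, \ldots, k\}$.

$$\begin{array}{ll}
\vdash \lambda_j \to [*]\lambda_j & \mathrm{PERS} \\
\vdash E_G\lambda_j \to [*]E_G\lambda_j & \mathrm{EPers} \\
\vdash E_G E_G\lambda_j \to E_G\lambda_j & \\
\vdash E_G E_G\lambda_j \to [*]E_G\lambda_j & \mathrm{Cut} \\
\vdash E_G E_G\lambda_j \to [*]E_G\neg\varepsilon_j & \mathrm{MC2} \\
\vdash E_G E_G\lambda_j \to [*]E_G\lambda_j \wedge [*]E_G\neg\varepsilon_j & \wedge\mathrm{Intro} \\
\vdash E_G E_G\lambda_j \to [*](E_G\lambda_j \wedge E_G\neg\varepsilon_j) & [*]\wedge\mathrm{Dist} \\
\vdash E_G E_G\lambda_j \to [*]E_G(\lambda_j \wedge \neg\varepsilon_j) & E\wedge\mathrm{Dist} \\
\vdash E_G E_G\lambda_j \to [*]E_G\lambda_{j+1} & \mathrm{IMP}
\end{array}$$

□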

Summary of the proof of the muddy children puzzle theorem 

A common knowledge induces a nested shared knowledge at any level. The GainConn
lemma deduced from the MC2 axiom allows us to get a picture of the proof of the muddy
children puzzle theorem, which we called Concl and which is stated as:

$$\mathrm{Concl}:\quad \vdash \forall m \in \mathbb{N}\ \forall i \in G,\ [\bullet]\mathrm{TRUE} \to [*]^m(\mu_i \to K_i\mu_i)$$

Indeed, initially, $\lambda_1$ is a common knowledge ($\mathrm{MC1}_1$), so it is an arbitrarily nested
shared knowledge. With each of Father's injunctions, the children are able to make their
knowledge about the total number of muddy children more precise by dropping one level of
their shared knowledge. Therefore, after $j$ injunctions, they know $\lambda_{j+1}$ by dropping
$j$ depths of their shared knowledge. But since initially this knowledge is arbitrarily
deeply nested in shared knowledge, after Father's first $m$ injunctions, every child
effectively knows $\lambda_{m+1}$.

At this point, the muddy children know there are at least $m + 1$ muddy children; so,
as they see $m$ ones, they deduce there are exactly $m + 1$ muddy children ($\mathrm{MC1}_2$) and
they know they are muddy themselves (MC3). At the $(m + 1)$st injunction, they will
step forward miraculously, as Meyer and van der Hoek say with humor. After our Coq
experiments, we would say perfectly logically!

One can notice that Concl holds also for $m = 0$. This theorem describes the whole
scene: "if Father makes his initial statement, then after the $m$th injunction, the agents
who satisfy property $\mu_i$ know they do."
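
The counting argument summarized above can be checked on a small possible-worlds
model. The following Python code is an added example, not part of the paper or of its
Coq scripts: it assumes a semantic reading in which the initial event keeps the worlds
with at least one muddy child and each progression event removes the worlds where some
muddy child would already have stepped forward. All function names are hypothetical.

```python
from itertools import product

# Added illustration: a world is a tuple of 0/1 flags, one per child (1 = muddy).
# The update rules below are an assumed semantic reading of the two events.

def flip(w, i):
    """World differing from w only in child i's own state, which i cannot see."""
    return w[:i] + (1 - w[i],) + w[i + 1:]

def knows(S, w, i, prop):
    """K_i prop at w: prop holds in every world of S that child i cannot tell from w."""
    return all(prop(v) for v in (w, flip(w, i)) if v in S)

def everyone_knows(S, w, prop):
    """E_G prop at w: every child of the group knows prop."""
    return all(knows(S, w, i, prop) for i in range(len(w)))

def at_least(j):
    """lambda_j: at least j children are muddy."""
    return lambda v: sum(v) >= j

def initial_event(n):
    """Father's statement: only worlds with at least one muddy child remain possible."""
    return frozenset(w for w in product((0, 1), repeat=n) if sum(w) >= 1)

def steps_forward(S, w, i):
    """Child i is muddy in w and knows it."""
    return w[i] == 1 and knows(S, w, i, lambda v: v[i] == 1)

def progression(S):
    """An injunction nobody answers: drop worlds where some child would have stepped forward."""
    return frozenset(w for w in S
                     if not any(steps_forward(S, w, i) for i in range(len(w))))

def injunctions_needed(w):
    """Number of progression events after which every muddy child of w knows it is muddy."""
    if sum(w) == 0:
        raise ValueError("Father's statement requires at least one muddy child")
    S, k = initial_event(len(w)), 0
    while not all(steps_forward(S, w, i) for i in range(len(w)) if w[i]):
        S, k = progression(S), k + 1
    return k

def gain_lemma_holds(n):
    """Check E_G E_G lambda_j -> [*] E_G lambda_(j+1) in every surviving world, every round."""
    S = initial_event(n)
    while S:
        S_next = progression(S)
        for w in S_next:
            for j in range(1, n + 1):
                premise = everyone_knows(
                    S, w, lambda v, j=j: everyone_knows(S, v, at_least(j)))
                if premise and not everyone_knows(S_next, w, at_least(j + 1)):
                    return False
        S = S_next
    return True

if __name__ == "__main__":
    for w in [(1, 0, 0), (1, 1, 0), (1, 0, 1, 1)]:
        print(w, "->", injunctions_needed(w), "injunction(s)")
    print("knowledge gain lemma holds for 4 children:", gain_lemma_holds(4))
```

With m + 1 muddy children the function injunctions_needed returns m, which is the
exponent of [*] in Concl; this is a model check on finite instances, not a replacement
for the Hilbert-style derivation.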
5 The proof of the muddy children puzzle theorem

In this section, we describe in more detail the mechanized proof previously summed up.
Let $c \in \mathbb{N}$ and $m \in \{0, \ldots, c+1\}$.

Lemma 2 (MultGainConn). $\forall c \in \mathbb{N}^*\ \forall j \in \{0, \ldots, m\},\ \vdash E_G^{c+1}\lambda_j \to [*]E_G^{c}\lambda_{j+1}$

Proof. By induction on $c \in \mathbb{N}^*$:

• Initialization: $c = 1$,

$$\vdash E_G E_G\lambda_j \to [*]E_G\lambda_{j+1} \quad \mathrm{GainConn}$$

• Heredity: Let $c \in \mathbb{N}^*$,



i — £'° +1 A, / - — > [*]£gVi 



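Lemma 3 (ComlmpPartlt). $\forall c \in \mathbb{N},\ \vdash C_G\, p \to E_G^{c}\, p$

Proof. By induction on $c \in \mathbb{N}$:

• Initialization: $c = 0$,

$$\begin{array}{ll}
\vdash C_G\, p \to p \wedge E_G C_G\, p & \mathrm{PointFixe}_C \\
\vdash C_G\, p \to p & \wedge\mathrm{Elim},\ \mathrm{Cut}
\end{array}$$

• Heredity: Let $c \in \mathbb{N}$,

$$\begin{array}{ll}
\vdash C_G\, p \to p \wedge E_G C_G\, p & \mathrm{PointFixe}_C \\
\vdash C_G\, p \to E_G C_G\, p & \wedge\mathrm{Elim} \\
\vdash C_G\, p \to E_G^{c}\, p & \mathrm{HYP\text{-}REC} \\
\vdash E_G C_G\, p \to E_G^{c+1}\, p & \mathrm{EDist} \\
\vdash C_G\, p \to E_G^{c+1}\, p & \mathrm{Cut}
\end{array}$$

□

Lemma 4 (PointlmpPartlt). $\forall c \in \mathbb{N}^*,\ \vdash [\bullet]\mathrm{TRUE} \to E_G^{c}\lambda_1$

Proof. Let $c \in \mathbb{N}^*$.

$$\begin{array}{ll}
\vdash [\bullet]\mathrm{TRUE} \to C_G\lambda_1 & \mathrm{MC1}_1 \\
\vdash C_G\lambda_1 \to E_G^{c}\lambda_1 & \mathrm{ComlmpPartlt} \\
\vdash [\bullet]\mathrm{TRUE} \to E_G^{c}\lambda_1 & \mathrm{Cut}
\end{array}$$

□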
Lemma 5 (PointlmpProgr). $\forall c > k\ \forall j \in \{1, \ldots, k+1\},\ \vdash [\bullet]\mathrm{TRUE} \to [*]^{j-1}E_G^{c-j+1}\lambda_j$

Proof. Let $c > k$. By induction on $j \in \{1, \ldots, k+1\}$:

• Initialization: $j = 1$,

$$\vdash [\bullet]\mathrm{TRUE} \to E_G^{c}\lambda_1 \quad \mathrm{PointlmpPartlt}$$

• Heredity: Let $j \in \{1, \ldots, m\}$,



[0]TRUE -> H^-'fig - ^ 1 ^ k£ g £ g ~% -> [*]£ G ~% 



■ hyp-rec : ; MultGainConn 



+ 1 



- Id ; — ; — (j - 1) * DlSt 



- [n]TRUE -> [*]- / - 1 £ G £g % I — W ; "'£g£g %' W ;£ G 

Cur 

i — [!3]true — » [*y Eq~ j \j+-i 



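From those lemmas we get the following ones.

With $j = m + 1$:

Lemma 6 (ResInter$_1$). $\forall c > m,\ \vdash [\bullet]\mathrm{TRUE} \to [*]^{m}E_G^{c-m}\lambda_{m+1}$

With $c = m + 1$:

Lemma 7 (ResInter$_2$). $\vdash [\bullet]\mathrm{TRUE} \to [*]^{m}E_G\lambda_{m+1}$

And the muddy children puzzle theorem comes out (almost) easily.

Theorem 8 (Concl). $\vdash \forall m \in \mathbb{N}\ \forall i \in G,\ [\bullet]\mathrm{TRUE} \to [*]^{m}(\mu_i \to K_i\mu_i)$

$$\begin{array}{ll}
\vdash [\bullet]\mathrm{TRUE} \to [*]^{m}E_G\lambda_{m+1} \wedge (\mu_i \to K_i(\varepsilon_m \vee \varepsilon_{m+1})) & \mathrm{ResInter}_2\ \&\ \mathrm{MC1}_2 \\
\vdash [\bullet]\mathrm{TRUE} \to [*]^{m}E_G\lambda_{m+1} \wedge [*]^{m}(\mu_i \to K_i(\varepsilon_m \vee \varepsilon_{m+1})) & \mathrm{PERS}_{\mathrm{MC1}_2} \\
\vdash [\bullet]\mathrm{TRUE} \to [*]^{m}(E_G\lambda_{m+1} \wedge (\mu_i \to K_i(\varepsilon_m \vee \varepsilon_{m+1}))) & [*]\wedge\mathrm{Dist} \\
\vdash [\bullet]\mathrm{TRUE} \to [*]^{m}(K_i\lambda_{m+1} \wedge (\mu_i \to K_i(\varepsilon_m \vee \varepsilon_{m+1}))) & (E_G\, p \to K_i\, p) \\
\vdash [\bullet]\mathrm{TRUE} \to [*]^{m}(\mu_i \to K_i\lambda_{m+1} \wedge K_i(\varepsilon_m \vee \varepsilon_{m+1})) & (a \wedge (b \to c) \to (b \to a \wedge c)) \\
\vdash [\bullet]\mathrm{TRUE} \to [*]^{m}(\mu_i \to K_i(\lambda_{m+1} \wedge (\varepsilon_m \vee \varepsilon_{m+1}))) & K\wedge\mathrm{Dist} \\
\vdash [\bullet]\mathrm{TRUE} \to [*]^{m}(\mu_i \to K_i((\lambda_{m+1} \wedge \varepsilon_m) \vee (\lambda_{m+1} \wedge \varepsilon_{m+1}))) & \wedge/\vee\mathrm{Dist} \\
\vdash [\bullet]\mathrm{TRUE} \to [*]^{m}(\mu_i \to K_i((\lambda_{m+1} \wedge \varepsilon_m) \vee \varepsilon_{m+1})) & (\lambda_{m+1} \wedge \varepsilon_{m+1} \to \varepsilon_{m+1}) \\
\vdash [\bullet]\mathrm{TRUE} \to [*]^{m}(\mu_i \to K_i(\bot \vee \varepsilon_{m+1})) & (\mathrm{EXCLUDE}) \\
\vdash [\bullet]\mathrm{TRUE} \to [*]^{m}(\mu_i \to K_i\varepsilon_{m+1}) & (\bot \vee p \to p) \\
\vdash [\bullet]\mathrm{TRUE} \to [*]^{m}(\mu_i \to K_i\mu_i) & \mathrm{MC2}
\end{array}$$

□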
6 The dynamic logic of common knowledge in COQ

6.1 Implementation of $T_G^{[]}$ in COQ

See the appendix for a few words on COQ. The implementation presented in this paper
is based on another implementation, namely that of the Logic of Common Knowledge
done by the first author [18], who implemented all the epistemic multi-agent logic
with common knowledge (system $T_G$), of which a COQ file is available on the web:

http://perso.ens-lyon.fr/pierre.lescanne/COQ/EpistemicLogic.v8

This paper comes out with its own COQ file:

http://perso.ens-lyon.fr/pierre.lescanne/COQ/EpistemicAndDynamicLogic.v

which implements the whole system $T_G^{[]}$ and a complete proof of the muddy children
puzzle theorem Concl.

6.2 Why this implementation? 

The first aim of this implementation was to ensure a reader that the proof is totally
checkable. This led to a proof of nearly 1100 lines of COQ code, where every lemma
is the direct translation of the hand-made proof for a maximal legibility. We do not
claim that proofs are as readable as they would be in an English paper: a certain
technicality is required for giving all the detail of the proof. However, we claim that
the statements of the lemmas are easily readable.

As an added value, this implementation allows any future development by adding
axioms or new modalities. This makes our work flexible and reusable.

7 Conclusion 

The proof theoretic approach we have used in this paper combines easily epistemic and
dynamic logics together, thanks to a general epistemic-dynamic axiom (KT1). (KT1)
involves a commutativity between an epistemic modality and a dynamic modality. In the
current implementation of (KT1), type is not used to check whether the axiom is only
invoked on purely epistemic propositions. In a future implementation, we will create a
new type epistemic proposition on which (KT1) can only be invoked.

After manipulating the logical system presented in this paper with the proof
assistant COQ, we feel that it is quite simple and intuitive. It only uses axioms and rules
from classical logic plus a few additional axioms and rules. Statements can be made in
a language close to that of the hand proof.

The dynamic logic of common knowledge is based on knowledge and events. In
a formal statement, an event becomes a dynamic modality which transforms a
proposition that describes the world before the event into a proposition that describes the
world after that event. Said otherwise, a dynamic modality transforms properties into
others. Here we have limited our work to epistemic events which only transform agent
knowledge, but this is not a big restriction, as this is what happens most of the time.

We notice that we had to adapt the system for the specific situation generated by the
muddy children puzzle. But this is not so different from situations where classical logic
or another system is used. However, conceptual tools or practical tools (for instance
implemented in Coq) could be built to ease the task of the person who mechanizes a
proof.
What is COQ?

COQ is a proof assistant, i.e., a program which verifies step by step the validity of a
mathematical proof given by the user. In logic, it is generally not obvious to follow a
hand-made proof and to determine whether it is right or wrong [26]. A proof assistant,
such as COQ, becomes a necessary tool if one chooses to be absolutely sure of a result.
Moreover, Coq is a very good means to build proofs. Indeed, managing a proof
step by step, as required by a proof assistant, allows us to understand in a very precise
way what is done and what has to be done to complete a proof. Coq is also a way
to reach a good formalism as it requires the user to define exactly everything he
manipulates.

Excerpts of the Coq script

Here are the statements of the main lemmas and of the last theorem Concl.

Lemma GainConn :
  forall (G:list nat) (i j : nat),
  |- E (i::G) (E (i::G) (lambda j)) ==>
     [*] (E (i::G) (lambda (j+1))).

Lemma MultGainConn :
  forall (G:list nat) (m i j : nat),
  |- F ((m+1)+1) (i::G) (lambda j) ==>
     [*] (F (m+1) (i::G) (lambda (j+1))).

Lemma ComlmpPartlt :
  forall (p:proposition) (n:nat) (G:list nat),
  |- C G p ==> F n G p.

Lemma PointlmpPartlt :
  forall (G:list nat) (m:nat),
  |- [] TRUE ==> F m G (lambda 1).

Lemma PointlmpProgr :
  forall (G:list nat) (i j n:nat),
  |- [] TRUE ==> [*]<:j:> (F (n+1) (i::G) (lambda (j+1))).

Lemma Concl :
  forall (G:list nat) (i j m : nat), In i (j::G) ->
  |- [] TRUE ==> [*]<:m:> (muddy i ==> (K i (muddy i))).






